Anonymous ID: c12642 March 10, 2019, 7:24 a.m. No.5607018   >>7024 >>7184

>>5606903

>>5606868

>>5606803

>>5606832

 

>https://thehackernews.com/2016/05/android-kernal-exploit.html

 

I've been thinking about this.

Q#2975

Every barrel has a bad apple.

But, in this case, bad apples do not spoil the bunch.

>The core is what counts.

The SWAMP is EVERYWHERE.

Q

 

Is Q not talking about Apple here, but rather the multicore CPUs found in workstations, servers and phones?

 

Anybody 'member this drop from way back? (Dec 8 2017)

Q#303

>Renee J James

 

She used to work for Intel, left to form Ampere Computing in Nov 2017 with a few other Intel and Apple folks. They provide custom Arm processors for cloud hardware. https://amperecomputing.com/product/

 

Funded by the Carlyle Group

https://www.carlyle.com/our-business/portfolio-investments

 

Renee James knows the Founder of [Crowdstrike]

https://www.esquire.com/news-politics/a49902/the-russian-emigre-leading-the-fight-to-protect-america/

 

Before Alperovitch founded CrowdStrike, the idea that attribution ought to be a central defense against hackers was viewed as heresy. In 2011, he was working in Atlanta as the chief threat officer at the antivirus software firm McAfee. While sifting through server logs in his apartment one night, he discovered evidence of a hacking campaign by the Chinese government. Eventually he learned that the campaign had been going on undetected for five years, and that the Chinese had compromised at least seventy-one companies and organizations, including thirteen defense contractors, three electronics firms, and the International Olympic Committee.

 

That the Chinese government had been stealing information from the private sector was a shock to the security industry and to many U. S. officials. Almost no one thought that foreign governments used the Internet for anything other than old-fashioned espionage. "This was not spy versus spy," says John Carlin, who was until recently the assistant attorney general for national security. The hacking was economic sabotage.

 

While Alperovitch was writing up his report on the breach, he received a call from Renee James, an executive at Intel, which had recently purchased McAfee. According to Alperovitch, James told him, "Dmitri, Intel has a lot of business in China. You cannot call out China in this report."

 

Alperovitch removed the word China from his analysis, calling the operation Shady Rat instead. He told me that James's intervention accelerated his plans to leave Intel. (James declined to comment.) He felt that he was "now being censored because I'm working for a company that's not really an American company."

Ampere has deployed its chips to Lenovo (comped) and several unnamed others.

https://www.eetimes.com/document.asp?doc_id=1333743#

From page 2

Low cost

But here’s the rub: Is low cost enough enticement for server companies to switch from Intel’s Instruction Set Architecture to Arm?

 

Taylor noted that each customer faces different issues. But if the customer is using open-source software with Linux roots, “a vast majority of software is already ported and optimized to Arm-based processors,” he said. “We already have everything from compilers, runtime to library, and OS — with all the fundamental elements in Arm.”

Anonymous ID: c12642 March 10, 2019, 7:28 a.m. No.5607061   >>7085

>>5607024

Interesting idea.

SW = software?

AMP = ampere?

 

https://www.computerworld.com/article/2523825/cloud-computing-a--security-nightmare---says-cisco-ceo.html

"I think it's really going to be a focal point of a lot of our work in the cybersecurity area," said Ronald Rivest, an MIT computer science professor and noted cryptographer, speaking during a conference panel Tuesday. "Cloud computing sounds so sweet and wonderful and safe … we should just be aware of the terminology, if we go around for a week calling it swamp computing I think you might have the right mind-set."

Anonymous ID: c12642 March 10, 2019, 7:31 a.m. No.5607085   >>7188

>>5607024

>>5607061

 

Yes, those people who pat you down at airports to make sure you don't get on a plane with a bottle of water bigger than a thimble funded the Software Assurance Marketplace (SWAMP) to the tune of $23.4 million to create:

https://www.networkworld.com/article/2848119/the-swamp-how-to-avoid-the-coming-software-armageddon.html

 

The SWAMP is a publicly available, open source, no-cost service for continuous software assurance and static code analysis. Use multiple tools to regularly scan software at mir-swamp.org or download SWAMP-in-a-Box for on-premises software assurance. Plug-ins are available for Eclipse, Jenkins, and Git/Subversion.

https://continuousassurance.org/

Anonymous ID: c12642 March 10, 2019, 7:44 a.m. No.5607188

>>5607085

This is interesting.

This SWAMP was set up by DHS as a cloud-based service to scan software in order to find defects. Developers upload their code to this site, it scans it and gives you a list of issues, and you fix them.

 

This seems like a vulnerability in itself to me because if I was a bad guy, and I wanted to find 0day vulnerabilities, I'd want as much software as I could find. If you could have people send you the software, that would be even better.

 

I'd report the obvious vulnerabilities, but I would pocket all the really good ones (0days) to keep for myself.

 

What are the chances that the 'Software Assurance Marketplace' cloud is using Ampere processors?

 

What if the blackhats had a backdoor into each Ampere processor?

 

They would have a massive DB of vulnerabilities at their fingertips.